[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3058) HTML and CSS sanitation filters for Seam Text

Christian Bauer (JIRA) jira-events at lists.jboss.org
Sun Jun 1 07:10:45 EDT 2008


HTML and CSS sanitation filters for Seam Text
---------------------------------------------

                 Key: JBSEAM-3058
                 URL: http://jira.jboss.com/jira/browse/JBSEAM-3058
             Project: Seam
          Issue Type: Task
          Components: Seam Text, Wiki
            Reporter: Christian Bauer
         Assigned To: Christian Bauer


Although we only allow certain elements and attributes, and do not allow quotes and ampersands in HTML fragments parsed through Seam Text, various XSS attack vectors are still open.

1. We can't remove IMG and A from the allowed list of HTML elements because they are already used in probably hundreds of documents. So we need to filter the SRC and HREF attribute values.

2. We need to filter the STYLE attribute on any element, because a) background:url(javascript) is executed on most browsers b) Internet Explorer also executes background-color: expression(javascript). But the STYLE attribute is used for document layout on production sites (mostly with DIV elements) and there simply is no alternative.

The following rules from the Ruby/Python rules can be a starting point: http://wiki.whatwg.org/wiki/Sanitization_rules

First, implement the callbacks/stacks in seam-text.g so this filter can be hooked in as a SeamTextParser extension.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
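The two attribute filters the issue asks for, as an added example (not Seam's code and not the WHATWG rule set; the scheme and CSS property whitelists are constructed assumptions): SRC/HREF values are accepted only if relative or carrying a whitelisted scheme, and STYLE declarations are dropped when the property is not whitelisted or the value contains url(, expression( or related tokens.

```python
import re

# Constructed whitelists (assumptions, not Seam's own lists): URL schemes that
# SRC/HREF may carry, and CSS properties a STYLE attribute may set.
SAFE_SCHEMES = {"http", "https", "mailto", "ftp"}
SAFE_CSS_PROPERTIES = {
    "background", "background-color", "color", "float", "font-size",
    "font-weight", "height", "margin", "padding", "text-align", "width",
}
# Tokens named in the issue (url(javascript...), expression(...)) plus the
# IE/Mozilla binding hooks, CSS comments (used to split tokens) and escapes.
_BAD_CSS = re.compile(
    r"url\s*\(|expression\s*\(|javascript:|-moz-binding|behavior|@import|/\*|\\",
    re.I,
)
# Whitespace/control characters are stripped before the scheme check so that
# 'java\tscript:' is seen as 'javascript:'.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")


def sanitize_url(value):
    """Return the value if it is relative or its scheme is whitelisted, else None."""
    compact = _CONTROL.sub("", value)
    # A colon before the first '/' or '?' means the value carries a scheme.
    head = compact.split("/", 1)[0].split("?", 1)[0]
    if ":" not in head:
        return value.strip()
    scheme = compact.split(":", 1)[0].lower()
    return value.strip() if scheme in SAFE_SCHEMES else None


def sanitize_style(value):
    """Keep only 'prop: value' declarations that are whitelisted and token-free."""
    kept = []
    for decl in value.split(";"):
        if ":" not in decl:
            continue
        prop, val = decl.split(":", 1)
        prop, val = prop.strip().lower(), val.strip()
        if prop in SAFE_CSS_PROPERTIES and not _BAD_CSS.search(val):
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)
```

A rejected SRC/HREF (None) should cause the parser extension to drop the attribute, not the element, so existing IMG and A markup in documents keeps rendering.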
